Organisations in the US are adopting AI at a faster clip than their security and compliance efforts, highlighting a growing governance gap, according to a report from cybersecurity audit business Thoropass.
The 2026 State of Audit and Compliance Report found that 69% of compliance and IT professionals believe that AI tool adoption in their organisation is outpacing their ability to put in place adequate controls and safeguards. Only 6% of respondents say their AI governance is more advanced than their AI adoption efforts.
Reflecting this governance gap, as many as 82% of respondents view AI as an active and material compliance threat, with 57% believing that AI-related data misuse or exposure is most likely to result in regulatory action or customer fallout this year. Meanwhile, 45% of respondents are concerned about regulatory scrutiny of AI usage and 35% are concerned about a lack of audit evidence for AI-related controls.
Sam Li, CEO of Thoropass, said: “AI has moved faster than governance. Most organisations didn’t plan for how quickly employees and teams would adopt AI tools, and compliance programmes are now racing to catch up. What we’re seeing is a widening gap between innovation and oversight.”
More than half of respondents (51%) listed sensitive data exposure via AI tools as their top AI-related risk, followed by employees using unapproved shadow AI tools (43%) and third-party AI vendor risk (38%).
AI-related data exposure or misuse was also the top security concern, with 55% of respondents citing that as their biggest breach worry, followed by data leakage or privacy incidents (48%). That was significantly higher than traditional cyber breaches, such as ransomware attacks (33%).
The report showed that organisations are moving from seeing compliance as a box-ticking exercise to a continuous risk management function, with 64% of respondents saying they are investing in compliance to reduce risk.
The report was based on a survey of more than 500 security, IT and compliance professionals.
AI tool use within corporate legal teams is increasing. A report published earlier this month by FTI Consulting and Relativity found that generative AI use within legal teams had almost doubled to 87% over the past year.
However, another report published this month by Womble Bond Dickinson found that companies are pushing ahead with AI implementation without fully understanding the operational risks and long-term legal implications.